Cryptographic Key Life Cycle

Mon, 09/07/2015 - 15:27 -- pottol

Key LifeCycle

 

Cryptographic keys, both for data “at Rest” and “in Motion” (together with their paired digital certificates), have their own life cycle by which they are managed, logically independent of technology (i.e. cipher algorithm) and scope (rest, motion).

 

Key Management: Operations

Key management comprises many operations, belonging to three different categories: Generation, Recovery, Disposal. The operations are briefly listed here:

1.     Generation: creating the key by combining and processing random information available on the system (e.g. log entries, keyboard input, etc.); adding a CSR (Certificate Signing Request) where applicable (only for “in Motion”)

a.     Back-Up: saving the key on external, off-line media, separate from the server that uses it

b.     Distribution: sharing the key and configuring it for use

c.     Usage: using the keys in the normal way; monitoring access to crypto systems and reviewing performance

2.     Recovery (only for “at Rest”): handling access requests to data enciphered with an old key (archived but not deleted)

a.     Revocation: declaring a key as “no longer in use”, following a key substitution

b.     Archive: archiving the key, keeping it for later recovery (only for “at Rest”)

3.     Disposal: deleting the key; no further recovery can be performed

 

Key Management: Tools

Only previously authorized tools should be used for key management (Generation, Hold, Back-Up, etc.). At least 2 tools should be in place, for asymmetric and symmetric keys, respectively:

·         key-mgmt: device intended for key generation, holding, archiving. It is used for generating private keys and issuing the signing requests. It acts as an archive for storing all the keys: private ones and symmetric ones

·         key-srv: device intended for symmetric key generation and usage. It performs data enciphering and deciphering (“Data at Rest”)

To guarantee the needed security level, special care should be paid to these tools, which belong to the Cryptographic Operation Area, characterized by the following:

·         Protected Physical Area

·         Access Control

·         Security Monitoring